First "Zoom bombings" reported
March 17 | First news article I can find
The Verge reporter Casey Newton and investor Hunter Walk hosted a daily public Zoom call called WFH Happy Hour. A troll joined the call and began screen sharing horrifying and inappropriate images to the many participants. It had probably happened before, but this appears to be the first time it got mainstream media coverage, and it only grew from this point.
March 24 | Date of Discovery
iOS app sends data to Facebook
March 26 | Date of Discovery
The Zoom developers bundled the entire Facebook SDK into the app so they could offer a Login with Facebook button. As a result, the Facebook SDK started up with the app and collected data for Facebook. It’s hard to put all the blame on the developers when Facebook is the one collecting the data, but they did add this SDK to their app without fully checking what it could do. Maybe it was simply a slip in their procedure, or maybe a flaw in the procedure itself.
Zoom fixes Facebook data collection
March 27 | Date fixed
Zoom removed the Facebook SDK and implemented Login with Facebook in a safer way. They apologized and called it an “oversight”. Again, this could entirely have been an oversight, and it was fixed very quickly.
March 29 | Date Changed
FBI warns about Zoom bombing
March 30 | Date of Warning
By this point Zoom bombings are common and all over the media. The FBI issued recommendations, aimed at schools, on how to avoid Zoom bombing. These are basically the same recommendations the media was already giving.
NY Attorney General Investigates Zoom
March 30 | Date of letter sent
The New York State Attorney General sent a letter to Zoom asking about its security measures, any changes it is making, and some specific issues. This is the first major sign of government concern over the security issues.
First Zoom lawsuit
March 30 | Date Filed
The case is Cullen v. Zoom Video Communications. It alleges that Zoom shared user data with Facebook illegally under the CCPA. In other words, the claim is that the iOS app sending data to Facebook is illegal under California consumer data protection law.
Sketchy MacOS installation
March 30 | Date of Discovery
March 30th was apparently not a good day for Zoom, and their stock price that day would agree. This time Twitter user @c1truz_ discovered that Zoom’s macOS installer abuses the preinstallation step that macOS installers run to check whether a system is compatible with the software: Zoom used that step to install the software without any user input. This is not an appropriate thing to do. It’s also worth noting that this is how Mac malware installs itself, so it’s interesting that Zoom behaves like malware. It’s more evidence that the Zoom team appears inexperienced or unprepared despite being a 9-year-old company.
Directory system leaks emails
March 31 | Date of Discovery
Zoom had a system where all email addresses on the same domain would show up in each other’s directory in the Zoom app. So firstname.lastname@example.org could see email@example.com and vice versa in the directory, but if firstname.lastname@example.org and email@example.com were registered they couldn’t see each other. Well, it didn’t work correctly for some email domains: there were some Dutch ISPs whose customers’ email addresses all showed up together in the directory system. Basically, email addresses were leaked through the directory system, but only on some obscure domains. Still, this just seems like more lazy development.
Not really end-to-end encryption
March 31 | Date of Discovery
Zoom claimed to use end-to-end encryption. They don’t. They use transport encryption, which only protects the data while it is in transit. Like end-to-end encryption, it means that if someone intercepted your call they would see only encrypted data. But if someone at Zoom wanted to see your recording, they could see it unencrypted. End-to-end encryption tends to be the industry standard; not only is it unavailable with Zoom, but Zoom claims it is there. Either these developers aren’t careful or experienced, or there is malintent. With all these mistakes, or malintent, it becomes hard to trust the company.
Second Zoom lawsuit
March 31 | Date Filed
This lawsuit is for the same thing as the first lawsuit. It’s again about the user data being sent to Facebook from the Zoom app. The source here is just a Dropbox article of the legal documents, because a second lawsuit over the same thing isn’t newsworthy.
Zoom exploit to take Windows password
March 31 | Date of Discovery
A Zoom exploit was discovered that could be used to steal a Windows user’s username and password. It involves sending a link in Zoom chat that, when clicked, makes Windows use the SMB protocol to try to log in to a remote system. To log in, it sends the user’s Windows credentials in a weakly protected form, which the hacker could then easily crack. So, in summary, if a user clicks this link in a Zoom chat, their username and password end up with a remote hacker.
Password exploit possible on Mac?
April 1 | Date of Discovery
I can’t entirely verify the reliability of this, but the basic idea makes sense to me. It’s done in basically the same way as the windows credentials exploit, just using the Mac version of SMB, and is plausible.
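To show the defensive side of the two SMB entries above, here is an added example that is not code from the original post or from Zoom: a chat-side check, in Go, that spots Windows UNC paths and the smb:// and file:// URLs a macOS client would open, and rewrites them so they are not rendered as clickable links. The pattern, the attacker.example host and the sample message are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Links that make a desktop client open a file-sharing connection when clicked:
// Windows UNC paths (\\host\share...) go over SMB, and smb:// or file:// URLs are
// the macOS equivalents. The pattern is constructed for this example.
var riskyLink = regexp.MustCompile(`(?i)(\\\\[^\s\\/]+(?:\\[^\s]*)?|\b(?:smb|file)://[^\s]+)`)

// FindRiskyLinks returns every UNC path or smb:/file: URL in a chat message.
func FindRiskyLinks(msg string) []string {
	return riskyLink.FindAllString(msg, -1)
}

// Defang rewrites each risky link so an auto-linkifier no longer makes it
// clickable, while leaving the recipient able to read where it pointed.
func Defang(msg string) string {
	return riskyLink.ReplaceAllStringFunc(msg, func(link string) string {
		lower := strings.ToLower(link)
		switch {
		case strings.HasPrefix(link, `\\`):
			return "[blocked UNC path: " + link[2:] + "]"
		case strings.HasPrefix(lower, "smb://"):
			return "[blocked smb link: " + link[6:] + "]"
		default: // file://
			return "[blocked file link: " + link[7:] + "]"
		}
	})
}

func main() {
	// Constructed chat message; attacker.example is a placeholder host.
	msg := `Slides here: \\attacker.example\share\deck.pdf and smb://attacker.example/share`
	fmt.Println(FindRiskyLinks(msg))
	fmt.Println(Defang(msg))
}
```

A client that applies this before rendering chat text never hands the operating system a path to open, which removes the click-to-leak step on both platforms.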
Zoom's big response and apology
April 1 | Apology Day
The biggest part of this is that they froze feature updates for 90 days to focus on security. They also decided to bring in third-party experts to analyze their security, and they launched a weekly webinar to go over privacy and security updates. Of course they made the necessary apology for everything they’ve done in March. This all seems really good, like they are genuinely trying to make things better at Zoom Video Communications.
Elon Musk's SpaceX bans Zoom
April 1 | Date of Discovery
SpaceX sent out an email on March 28th telling its employees not to use Zoom, and saying it had disabled Zoom on employees’ computers. This was one of the first public instances of a company banning Zoom, and it is an important move. As far as anyone can tell this is just a precaution from SpaceX, but potentially an important one: if there is anything else wrong with Zoom, or any data being stolen, this is the best way to be protected. The article also mentioned a NASA spokeswoman saying NASA isn’t using Zoom either.
Former NSA Hacker finds more vulnerabilities
April 1 | Date Disclosed
The two bugs allow a hacker with physical control of a computer to use the Zoom vulnerabilities to take control of the computer and gain root access, from which they can install malware and spy on the webcam or microphone.
Zoom fixes root vulnerabilities
April 2 | Date Fixed
Zoom again quickly fixes its mistake and apologizes. These were the two bugs found by the former NSA hacker. It really shows their focus on features before security.
MacOS installation fixed
April 2 | Date Fixed
Zoom again quickly fixes the issue after the media points it out. This was obviously something they meant to implement in the first place, but they did decide to change it to how it should be. It’s good that they fixed it, but man, they just keep having issues.
Zoom displays LinkedIn profile
April 2 | Date of Discovery
A data-mining tool was used to find certain Zoom users’ LinkedIn profiles. This requires a service called LinkedIn Sales Navigator. It’s a pretty obscure issue, but it’s just another one on the pile.
Tool can find unprotected Zoom meetings
April 2 | Day Designed
The tool finds a real Zoom meeting ID about 14% of the time, and can find 100 meetings in an hour. This is just another reason people should properly protect their meetings, since a tool like this would probably be developed for any popular conferencing program.
April 3 | Day of Discovery
Zoom had developed its own encryption scheme, which is technically AES-128 in ECB mode. That’s a bunch of technical stuff that doesn’t really matter to most people; what does matter is that it just isn’t very secure, and they claimed to be using AES-256, which they aren’t. This just isn’t as secure as it should be, and they claimed it was. This encryption mistake is either another one of their terrible security mistakes or, and this is a little conspiracy-like, they are purposefully leaving data not fully encrypted (I don’t necessarily actually believe this). The report also raised concerns over some data being routed through China and governments targeting Zoom for intelligence gathering.
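As an added example, not code from the original post or from Zoom, the Go program below shows concretely why ECB mode is the wrong choice: Go’s standard library deliberately has no ECB helper, so EncryptECB builds it block by block, and its output is compared with AES-GCM on a plaintext made of identical 16-byte blocks, standing in for repetitive media data. The key, nonce and frame bytes are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed key and nonce, fixed for reproducibility; real code draws both from crypto/rand.
var demoKey = []byte("0123456789abcdef") // 16 bytes = AES-128
var demoNonce = []byte("unique-nonce")   // 12 bytes, GCM's standard nonce size

// EncryptECB encrypts block by block with no chaining and no IV, which is all
// "AES-128 in ECB mode" means. Plaintext length must be a multiple of 16.
func EncryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(plaintext)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(plaintext), aes.BlockSize)
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], plaintext[i:i+aes.BlockSize])
	}
	return out, nil
}

// EncryptGCM uses AES-GCM: the keystream depends on nonce and position, and the appended tag detects tampering.
func EncryptGCM(key, nonce, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, plaintext, nil), nil
}

// RepeatedBlocks counts 16-byte ciphertext blocks that duplicate an earlier one; each
// repeat tells an observer the plaintext repeated there. A sound mode gives zero.
func RepeatedBlocks(ct []byte) int {
	seen := map[string]bool{}
	repeats := 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		b := string(ct[i : i+aes.BlockSize])
		if seen[b] {
			repeats++
		}
		seen[b] = true
	}
	return repeats
}
func main() {
	// Constructed plaintext standing in for media frames full of identical data.
	frames := bytes.Repeat([]byte("SILENT-FRAME-00 "), 8) // eight identical blocks
	ecb, _ := EncryptECB(demoKey, frames)
	gcm, _ := EncryptGCM(demoKey, demoNonce, frames)
	fmt.Printf("ECB: %d repeated blocks of %d\n", RepeatedBlocks(ecb), len(ecb)/aes.BlockSize)
	fmt.Printf("GCM: %d repeated blocks of %d\n", RepeatedBlocks(gcm), len(gcm)/aes.BlockSize)
}
```

With ECB every identical plaintext block produces an identical ciphertext block, so the layout of the underlying data is visible without the key; GCM shows no repeats and additionally authenticates the data.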
Zoom responds to encryption and China
April 3 | Day of Response
In response to their lackluster encryption, Zoom accepted that it was bad, apologized for it being bad and said they’ll get to fixing it. Ok. That’s good, I guess. Now for their response to sending data through China. Zoom said the plan was to keep geofencing around China: calls outside China never enter China, and calls inside China never leave it. While dealing with increased demand in February they accidentally added two new data centers in China to a list of data centers outside China, so some calls at busy times could be routed through China. They assured us this did not affect Zoom for Government. The reason that matters is that when web traffic goes through China, we don’t put it past the Chinese government to snoop. And now quitzoom.com is not getting through the Chinese firewall (if it even would have before). Oh well.
US Congress sends a letter to Mr. Eric Yuan
April 3 | Date of letter sent
Some members of the United States Congress wrote a letter to Mr. Eric Yuan, CEO of Zoom, asking about their data collection in general and about specific instances. For example, they asked what data Zoom collects from users with an account, and for how long. And from users without an account? They also asked whether attendees are made aware of certain features turned on by the host. This letter may have had some effect, because some of these features were removed, but what I want to know is Zoom’s response to this letter.
Easily find Zoom calls on internet
April 3 | Date of Discovery
The Washington Post found that Zoom automatically uses a very predictable naming scheme for meeting recordings, which makes it very easy to find recordings, sometimes private ones, online. The specific instance the Post mentioned involves unprotected Amazon buckets. The only fault of Zoom’s here is that they don’t force you to name recordings, but this is really a tiny nitpick. I’m not saying much, but I will say that using just that information and some Googling I found exactly what they referenced in the article. To be a good internet citizen I’m not telling you how to do it, but I will say my email is firstname.lastname@example.org.
Note (added 4/16): These have to be recordings that were recorded and then uploaded somewhere separate from Zoom’s cloud. Someone could unknowingly upload them somewhere exposed, but they do have to purposefully take action for this to happen. The best place to upload recordings is a private Dropbox, Google Drive, or similar file sharing service set to private. YouTube unlisted is usually fine.
Third Zoom lawsuit
April 3 | Date filed
Another class-action lawsuit filed against Zoom. This one covers the same issues as the others: the iOS app sending data to Facebook, the end-to-end encryption claim, and a webcam vulnerability.
Eric Yuan makes another apology
April 4 | Date of Apology
Zoom CEO Eric Yuan basically apologizes for everything thus far in an interview with the Wall Street Journal.
Zoom enables passwords by default
April 4 | Date of Update
Zoom turned on passwords and waiting rooms by default for free accounts, single-user accounts, and education accounts. That’s good and secure. It just is. A round of applause to Zoom for this one; I have no criticism.
New York City schools ban Zoom
April 4 | Date Announced
The New York City Department of Education moved to ban teachers’ use of Zoom for live teaching and other educational uses in the city. They did this because of security and privacy concerns, and it is a great move toward being more careful with Zoom. There are concerns with this, though, because it will almost certainly disrupt the teaching routines teachers have set up around Zoom, which just isn’t good.
EPIC asks for an FTC investigation
April 6 | Date of letter sent
EPIC stands for Electronic Privacy Information Center, and they wrote an open letter to the FTC asking for an investigation into Zoom’s security and privacy issues. This is a large step in the right direction: if the government and government agencies get involved, we can find out whether we should be using Zoom. Maybe we should; I’m just saying we can’t know for sure right now.
Zoom furthering government lobbying
April 6 | Date of interview
Really this is fair to expect from a company in an environment with a lot of legal pressure and in the new age of COVID-19.
Zoom accounts on dark web
April 6 | Date of Discovery
Zoom accounts were found being sold by hackers on the dark web. This is nothing to blame Zoom for; it happens with all programs and is just a reminder to use different passwords, maybe a password manager, and to check haveibeenpwned.
Taiwan bans government use
April 7 | Date of Ban
The Taiwan Executive Yuan (not to be confused with Zoom’s Eric Yuan) is a branch of the Taiwanese government, and it has ordered the government to stop using Zoom and to be more careful about its video conferencing tools. I think that’s important; we as a society need to be careful about what we sign up for and use. This is also a good move for a government, since it wouldn’t want any secrets exposed through inadequate encryption or other Zoom shortcomings.
Fourth Zoom lawsuit
April 7 | Date Filed
This lawsuit, filed by a Zoom shareholder, alleges that Zoom has “inadequate data privacy and security measures.” This lawsuit did make the news, even though the second and third didn’t, and I think it’s just because there was less other news around April 7.
First Zoom security webinar hosted
April 8 | Date of Webinar
Zoom called this the “Ask Eric Anything Webinar”; it was hosted on Zoom and streamed on YouTube. As far as I can tell he answered questions from people in the Zoom webinar. He said Zoom will update its encryption to standard AES-256, as it should be, with keys generated by the users. He also said the only data taken from meetings is metadata to help with analytics, which is very reassuring to hear. He also mentioned they disabled the file sharing feature to investigate a security issue with it, which is great. They really do appear to be trying to improve.
Meeting IDs removed from title bar
April 8 | Date Updated
Zoom updated the software to remove the meeting ID from the top of the Zoom window during meetings. This makes it harder for anyone to share the meeting ID, which is both good and bad. Good because it makes it harder for people to quickly share meeting IDs and plan “Zoom bombing raids.” Bad because people won’t be able to let their friends join meetings as easily. But I see this all as good, because it is the first time we see Zoom really choosing security over ease of use. That is absolutely a step in the right direction, and maybe more of this will make Zoom safely usable software.
NPR interview with Eric Yuan
April 8 | Date of Interview
Let me just share with you what he said: “When it comes to a conflict between usability and privacy and security, privacy and security [are] more important – even at the cost of multiple clicks.” That is brilliant: not only are their actions saying that they want to focus on security, but now their words are too. It looks good for Zoom coming back and becoming a truly secure platform. I would encourage you to read the interview because it does help you understand what it has been like for Zoom and Yuan.
Zoom hires former Facebook Security Officer
April 8 | Date Announced
I would like to start this off by saying that I have nothing against Alex Stamos, whom Zoom hired. Stamos used to be the security officer for Facebook and Yahoo, and he is probably really good at his job. But if I were Zoom I wouldn’t hire someone who managed Facebook’s security, because Facebook doesn’t have the best security record. This probably is a good thing for Zoom, though, and it probably will improve their security; it just didn’t make for good headlines.
Zoom bugs being sold for high prices
April 8 | Date of Discovery
This makes perfect sense: when you have popular software you will have people finding and selling bugs. We can only hope Zoom is also finding and fixing bugs. Hopefully.
Google bans Zoom
April 8 | Date of Discovery
In an email sent to Google employees in the week of March 30, Google told employees not to use Zoom on work laptops and that the program would stop working on them soon. This adds to the list of organizations doing this, which also includes SpaceX and NASA. It is a good move for a company that wants to keep machines and secrets safe.
German Foreign Ministry bans Zoom
April 8 | Date Announced
This is just one part of the German government, but the Foreign Ministry decided to ban Zoom. The government said each ministry can make its own decision on this. This is just one of many examples of organizations protecting their security and privacy by switching away from Zoom.
Singapore bans Zoom education use
April 9 | Date Announced
This is another instance of countries taking the lead: the Singapore Ministry of Education stopped the use of Zoom countrywide, but this time it wasn’t because of security issues but because of serious Zoom bombing in the schools. That’s a great reason to stop using the platform as well, but I could foresee them quickly bringing Zoom back into education.
US Senate asked not to use Zoom
April 9 | Date of Discovery
This isn’t a ban, but due to the security issues senators were asked not to use Zoom for remote work. Good.
DOD using Zoom for Government only
April 10 | Date of Discovery
Zoom has a special version for government customers that uses separate cloud servers. The US Department of Defense told its employees to make sure they use Zoom for Government for work and not the free or commercial options. I mostly mention this to explain that Zoom for Government exists.
Zoom Security Webinar #2
April 10 | Date of Discovery
This is the second week of the “Ask Eric Anything” webinar. He summarized everything they did for security in the week before and announced that a report-a-user feature is coming on 4/18. He said that all accounts will have waiting rooms and passwords on by default, and education accounts will require them. That’s important and fantastic for helping with security and Zoom bombing. While it’s not a perfect solution, it is getting closer. He announced some more, but that’s what’s significant. In the Q&A part he said they are working on improving their AES-256 encryption; I’m working on seeing if they ever switched from 128- to 256-bit. This does make me think that Zoom is trying to improve, but every time they fix something there seems to be something new, so I’m just not satisfied with it yet.
Control countries routed through
April 13 | Date of Announcement
The feature will come on Saturday (4/18). It allows paid Zoom users (which doesn’t include most, if not all, schools’ accounts) to restrict and select which countries their calls are routed through. This is a great feature considering their encryption leaves the data unencrypted in the data centers (or at least I think it still can; they are not very clear about their encryption at all). This is an awesome security feature that is really just good for everyone, which brings me to the problems. Most people won’t know this exists, like many other security features, and will not enable it. The other issue is that most people use free Zoom and so don’t have access to this feature at all. So maybe if we use software we should think about paying for it so we can get the best security features, and if we’re paying for it, why not pay for something other than Zoom.
Cloud recording vulnerabilities discovered and fixed
April 16 | Date Disclosed
The vulnerabilities allowed a hacker to find Zoom calls that had been recorded with Zoom’s cloud service, which at the time didn’t require a password. His tool also used a second vulnerability: the recording’s URL could be used to determine the password of some recordings. Often the videos found were still on Zoom’s server after the user had deleted them. The first fix, which Zoom pushed out on Saturday (4/11), added a Captcha (you know, the I’m-not-a-robot thing) to stop the tool from working, but it didn’t fix either vulnerability. On Tuesday (4/14) Zoom began requiring users to create complex passwords for cloud recordings, so the exploit that derived the password from the URL no longer works on new recordings that require such a password. This technically didn’t fix either vulnerability, so recordings made before the change can still be viewed if the hacker uses the exploits manually, but ones made after 4/14 are safe. I would like to share a quote from the security researcher who discovered this, in an interview with CNET: “Zoom has not considered security at all when developing their software.” This may all seem bad, but there is a good side: this time they fixed (-ish) the issue before it became public. Maybe we are getting close to a safe Zoom.